From 4a1035049647e85edea3dcaa9b2ed8942aa4c09f Mon Sep 17 00:00:00 2001
From: Osama Sayegh
Date: Thu, 2 Jul 2020 19:52:37 +0300
Subject: [PATCH] FIX: Negative limit values shouldn't cause error 500 (#10162)

---
 app/controllers/tags_controller.rb | 4 ++++
 spec/requests/tags_controller_spec.rb | 7 +++++++
 2 files changed, 11 insertions(+)

diff --git a/app/controllers/tags_controller.rb b/app/controllers/tags_controller.rb
index 16b697bf0c..1e86d108f2 100644
--- a/app/controllers/tags_controller.rb
+++ b/app/controllers/tags_controller.rb
@@ -214,6 +214,10 @@ class TagsController < ::ApplicationController
 exclude_has_synonyms: params[:excludeHasSynonyms]
 }
 
+ if filter_params[:limit] && filter_params[:limit].to_i < 0
+ raise Discourse::InvalidParameters.new(:limit)
+ end
+
 if params[:categoryId]
 filter_params[:category] = Category.find_by_id(params[:categoryId])
 end
diff --git a/spec/requests/tags_controller_spec.rb b/spec/requests/tags_controller_spec.rb
index 53b1cf96ba..3dbaab4ed9 100644
--- a/spec/requests/tags_controller_spec.rb
+++ b/spec/requests/tags_controller_spec.rb
@@ -707,6 +707,13 @@ describe TagsController do
 ['common1', 'common2', 'group1tag', 'group1tag2']
 )
 end
+
+ it 'returns error 400 for negative limit' do
+ get "/tags/filter/search.json", params: { q: '', limit: -1 }
+
+ expect(response.status).to eq(400)
+ expect(response.parsed_body['errors'].first).to eq(I18n.t('invalid_params', message: 'limit'))
+ end
 end
 end
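Review bot: The new guard in `app/controllers/tags_controller.rb` calls `.to_i` on `filter_params[:limit]` without checking that it is a scalar, so a request that sends `limit` as an array or nested hash would presumably still raise `NoMethodError` and return the 500 this commit is meant to remove; the assignment of `:limit` sits above the hunk, so confirm it is taken straight from `params`. Rejecting anything that cannot be converted closes that path: `limit = filter_params[:limit]` followed by `raise Discourse::InvalidParameters.new(:limit) if limit && (!limit.respond_to?(:to_i) || limit.to_i < 0)`. No upper bound is visible here either; if the tag query does not cap the value itself, a caller can request an arbitrarily large result set, so a maximum is worth enforcing at the same point. The spec hunk pins only `limit: -1` and would benefit from a companion example for a non-scalar `limit`. The enclosing action starts and ends outside the hunk.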